Brief description: Certain versions of PHP/FI have a buffer overflow that can be triggered by a remote user
Full description: Certain versions of PHP/FI have a buffer overflow which can be triggered by a remote user to gain access to the web server running PHP/FI as the UID of the http daemon. The buffer overflow is in the function FixFilename() in file.c. PHP attempts to pass strings whose length may be as long as 8,000 bytes into stack-allocated buffers as small as 128 bytes. This overwrites the return address, making it possible for an attacker to obtain shell access to the machine running the web server.
Components: PHP PHP/FI 2.0b10 (trusted), PHP PHP/FI 1.0 (trusted); PHP PHP 3.00 and later is not vulnerable (trusted).
Systems:
Effect(s) of exploiting: Attacker gains web daemon access.
Detecting the hole: Request http://hostname/cgi-bin/php.cgi. The response tells you which version you are running; for example, a response of
PHP/FI Version 2.0b10
indicates a vulnerable version.
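The version check described above, written out as an added example (not code from this record or from any of the cited advisories): it pulls the version banner out of a captured php.cgi response and classifies it using only what the record states, namely that PHP/FI 1.0 and 2.0b10 are vulnerable and PHP 3.00 and later is not. The "PHP/FI Version 2.0b10" banner form is the one quoted above; the "PHP Version 3.x" form for later releases, the hypothetical host labels and the sample response bodies are assumptions constructed for the example.

```python
import re

# Versions this record lists as vulnerable (trusted). PHP 3.00 and later is not vulnerable.
VULNERABLE_PHPFI_VERSIONS = frozenset({"1.0", "2.0b10"})
FIRST_SAFE_MAJOR = 3

# Matches "PHP/FI Version 2.0b10" (the banner quoted in this record) and, as an
# assumption, the "PHP Version 3.x" form used by later releases.
BANNER_RE = re.compile(r"PHP(?:/FI)?\s+Version\s+([0-9][0-9A-Za-z.]*)", re.IGNORECASE)


def parse_php_version(response_text):
    """Return the version string found in a php.cgi response, or None if there is no banner."""
    match = BANNER_RE.search(response_text)
    return match.group(1) if match else None


def classify_php_version(version):
    """Map a version string to 'vulnerable', 'not vulnerable' or 'unknown'.

    Only what the record states is encoded: the two listed PHP/FI versions are
    vulnerable, PHP 3.00 and later is not, and anything else (including
    unlisted 2.x builds) is reported as unknown rather than guessed.
    """
    if version is None:
        return "unknown"
    if version in VULNERABLE_PHPFI_VERSIONS:
        return "vulnerable"
    major = re.match(r"\d+", version)
    if major and int(major.group(0)) >= FIRST_SAFE_MAJOR:
        return "not vulnerable"
    return "unknown"


def audit_responses(responses):
    """Classify a mapping of host label -> captured php.cgi response body."""
    return {label: classify_php_version(parse_php_version(body))
            for label, body in responses.items()}


# Constructed sample responses standing in for http://hostname/cgi-bin/php.cgi output.
SAMPLE_RESPONSES = {
    "web-a": "<html><body><h1>PHP/FI Version 2.0b10</h1></body></html>",
    "web-b": "<html><body><h1>PHP Version 3.0.5</h1></body></html>",  # assumed PHP 3 banner form
    "web-c": "<html><body>404 Not Found</body></html>",
}

if __name__ == "__main__":
    for label, verdict in audit_responses(SAMPLE_RESPONSES).items():
        print(f"{label}: {verdict}")
```

Anything the record does not cover, such as a 2.0 build other than b10 or a response with no banner at all, is deliberately reported as "unknown" so that a missing banner is never mistaken for a clean host.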
Fixing the hole:
Other information:
PA Classification(s):
RISOS Classification(s):
DCS Classification(s):
CVE Number: CVE-1999-0058 -- Buffer overflow in PHP cgi program, php.cgi allows shell access.
Attack:
Advisories: BugTraq ID 712; Network Associates Security Advisory #12 contains detailed information and code to patch the 2.0beta10 PHP program; ISS X-Force http-cgi-phpbo
Related Vulnerabilities:
Reporting: Secure Networks Inc. in Security Focus Advisory: NAI-0012 (April 17, 1997)